EU: Deep dive into Q&As regarding the 'local laws and government access' section of the new SCCs
On 25 May 2022, the European Commission ('the Commission') published questions and answers [1] ('Q&As') with respect to the two sets of Standard Contractual Clauses ('SCCs'): (i) SCCs designed to be used between controllers and processors within the European Economic Area ('EEA') and to address the requirements of Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') ('the Controller-Processor SCCs'); and (ii) SCCs to be used with respect to the transfer of personal data to countries outside the EEA ('the Data Transfer SCCs'). The Q&As provide practical guidance to organisations on the use of these SCCs. The Commission plans to update the Q&As as new questions arise. David Dumont and Laura Leonard, from Hunton Andrews Kurth LLP, focus on the Q&As related to the local laws and government access section of the Data Transfer SCCs.
The Commission adopted the Controller-Processor SCCs and the Data Transfer SCCs on 4 June 2021. The Data Transfer SCCs replace the various sets of SCCs that were adopted in 2001, 2004, and 2010. The update was necessary to align the Data Transfer SCCs with the GDPR, which became applicable in May 2018, and to make the SCCs more flexible to accommodate the complexity of modern data processing chains. The new SCCs also aim to address the government surveillance issues related to data transfers to non-EU countries that were raised in the decision of the Court of Justice of the European Union ('CJEU') in Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems (C-311/18) ('the Schrems II Case').
In the Schrems II Case, the validity of the SCCs as a mechanism to legitimise transfers of personal data to data recipients outside the EEA was recognised by the CJEU. That said, the CJEU took the view that a transfer risk assessment must be conducted to verify whether SCCs provide an essentially equivalent level of protection for the personal data after it has been transferred. A transfer risk assessment must take into account the legal framework of the country where the data recipient is located, particularly the country's privacy and government surveillance laws. Depending on the outcome of this transfer risk assessment, supplementary measures and safeguards may need to be implemented to address the risks identified and ensure a level of protection that is essentially equivalent to the level of protection afforded to personal data in the EEA.
In order to address the Schrems II Case, the Commission incorporated Clauses 14 and 15 into the Data Transfer SCCs. Clauses 14 and 15 require the parties to carry out a transfer risk assessment and set forth a number of obligations with respect to handling requests from government authorities to access personal data transferred under the Data Transfer SCCs. Below are key takeaways from the 'Local Laws and Government Access' section of the Q&As, which is aimed at clarifying the parties' obligations under Clauses 14 and 15 of the Data Transfer SCCs.
Overview and key takeaways from the Q&As on local laws and government access
Transfer Risk Assessment (Clause 14)
Clause 14 requires the parties to carry out a transfer risk assessment to verify whether the laws and practices of the receiving third country could prevent the data importer from complying with the Data Transfer SCCs. This obligation mainly falls on the data exporter. That said, the data importer must provide the data exporter with the information relevant to the data exporter's transfer risk assessment and cooperate with the data exporter. In conducting the assessment, the parties must take into account the laws and practices that are relevant in the specific context and circumstances of the transfer, such as the types and format of the transferred data, the types of recipients, the economic sector in which the transfer takes place, and the length of the processing chain. The obligation to assess the risks related to a data transfer is not a one-time exercise that needs to be completed prior to entering into the Data Transfer SCCs. Instead, Clause 14 of the Data Transfer SCCs provides that the data importer must notify the data exporter promptly if, after having entered into the SCCs, it has reasons to believe that it is or has become subject to laws and practices that are not in line with the Data Transfer SCCs.
If the transfer risk assessment shows that the Data Transfer SCCs alone will not ensure an essentially equivalent level of protection for the personal data in the receiving third country, supplementary safeguards will need to be implemented, such as end-to-end encryption of data in transit and at rest. If no supplementary safeguards can be implemented for the data transfers at hand, the data exporter must take steps to terminate the Data Transfer SCCs or suspend the transfers.
Many organisations were hoping that the Q&As would provide further clarity on their obligations with respect to international data transfers under the GDPR following the Schrems II Case and the interaction between the Data Transfer SCCs and the European Data Protection Board ('EDPB') Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data [2] ('the Recommendations on Supplementary Measures'). However, Question 40 of the Q&As simply confirms that Clause 14 of the Data Transfer SCCs cannot be read in isolation and should instead be read in combination with the Recommendations on Supplementary Measures. This confirms that the Data Transfer SCCs alone are not necessarily sufficient to legitimise data transfers outside the EEA. Instead, organisations are required to take additional steps, which include conducting and maintaining a data transfer risk assessment, as well as implementing supplementary safeguards in certain cases.
Notification of Government Access Requests (Clause 15.1)
Under Clause 15.1 of the Data Transfer SCCs, the data importer is required to promptly notify the data exporter and concerned data subjects when receiving a government authority request to disclose personal data transferred under the Data Transfer SCCs or when becoming aware of any direct access by public authorities to such personal data. Notification to the data subjects is only required where feasible in practice, potentially with the assistance of the data exporter who has the direct relationship with the individuals. If notifying the data exporter of a government authority request is prohibited by law, the data importer must use its best efforts to obtain a waiver of the prohibition and communicate as much information about the request as possible to the data exporter.
In addition, Clause 15.1 of the Data Transfer SCCs requires the data importer to provide the data exporter with aggregate information about the government authority requests it receives, unless it is prohibited to provide such information under the national laws of the country where the data importer is located. The aggregate information should include the number of requests received over a certain period of time, type of data requested, requesting authority or authorities, whether requests have been challenged, and the outcome of such challenges.
Clause 15.1 also contains an additional notification requirement requiring the data importer to promptly notify the data exporter if it becomes subject to laws or practices that prevent it from complying with the SCCs.
Challenging Government Access Requests (Clause 15.2)
Under Clause 15.2 of the Data Transfer SCCs, the data importer is required to review the lawfulness of government authority requests it receives under the applicable national law and to exhaust all available remedies to challenge them. However, as confirmed by Question 43 of the Q&As, the data importer is only required to challenge government authority requests if it concludes, based on a reasonable assessment, that there are grounds under the laws of the receiving third country to do so. This assessment must be appropriately documented and provided to the data exporter (where permissible) and the competent supervisory authority upon request. In challenging government authority requests, the data importer should make use of domestic legal procedures. Question 43 clarifies that if the data importer unsuccessfully challenged a request but believes there are sufficient grounds to appeal the outcome of the decision, it should appeal the decision.
Module 4 of the SCCs
As confirmed by Question 44 of the Q&As, Section III of the Data Transfer SCCs contains a specific exemption that applies when Module 4 of the SCCs is used by an EEA data processor that returns data originally received from a non-EEA data controller to that same data controller. In that case, neither a transfer risk assessment nor compliance with the obligations to notify the data exporter and data subjects of government access requests and to challenge those requests is required, as the personal data was originally processed outside the EEA, where it was subject to the domestic legal framework. However, this exemption does not apply if the data that is transferred by the exporting data processor to its importing data controller also includes personal data originating from the EEA.
[1] Available at: https://ec.europa.eu/info/sites/default/files/questions_answers_on_sccs_en.pdf
[2] Available at: https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en